Canada Post data breach affected 4,500 customers, OCS says

The Ontario Cannabis Store (OCS) says a data breach at Canada Post has caused some customers’ delivery information to be hacked.

In an email notice to customers, Patrick Ford, president and CEO of OCS said Canada Post notified them on Nov. 1 that about 2 per cent of customer orders, which is approximately 4,500 orders, was accessed by someone through Canada Post’s delivery tracking tool.

The OCS said that once they were made aware of the incident, they immediately engaged with the Office of the Information and Privacy Commissioners of Ontario about the breach.

They said they have been working with Canada Post to identify the cause of the issue and to prevent future incidents of breaches to customer privacy and information.

WATCH: Just weeks after recreational cannabis became legal to buy and sell, Ontario’s online system was exposed to a security flaw. Sean O’Shea reports.

2:06 Security Breach at Ontario Cannabis Store

“The OCS has encouraged Canada Post to take immediate action to notify their customers,” said the OCS in the email sent to customers. “To date, Canada Post has not taken action in this regard.”

In the notice, they state that a customer’s delivery information that might have been accessed in the breach includes: postal code, name or initials of the person who signed for the order, OCS reference number, Canada Post’s tracking number and the OCS corporate name and business address.

However, information like the name of the person who made the order, delivery address, payment information and the contents of the order were not involved in the breach and was not affected.

Canada Post tells Global News in an email statement that they are pleased the OCS has notified their customers of the issue.

They said since the incident, both organizations have been working closely to investigate and resolve the issue, and important fixes have been put in place to prevent further unauthorized access to customer information.

“We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further,” said Canada Post in the statement.

Tweet This Click to share quote on Twitter: "We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further," said Canada Post in the statement.

Canada Post said they’ve also notified the Federal Privacy Commissioner about the breach.

According to a cybersecurity expert, while the demand for cannabis could be a reason for hacks, this particular incident might be a design flaw or mistake in the delivery tracking system.

“Normally, when systems like these are designed, in this case it seems to be a tracking system. They’re not designed with security in mind,” said David Masson, country manager for Darktrace, a cybersecurity company.

“People come up with a process and at the very end, decide to put some security in. You need to be doing this right at the beginning of the process, not at the end, because inevitably mistakes will be made.”

Tweet This Click to share quote on Twitter: "People come up with a process and at the very end, decide to put some security in. You need to be doing this right at the beginning of the process, not at the end, because inevitably mistakes will be made."

Masson said that there was a good chance a data breach for the OCS was predictable due to the current demand for cannabis online.

“Whether that’s information just using or manipulating as part of the natural commercial processes – or in this case, being used to actually distribute the product.”

–With files from Sean O’Shea

View image in full screen